Cross-account STS role assumption for agents deployed in a central account

[danievanzyl]

Hello 👋🏻

Our topology:

• Formae agent runs in a Core account (Bastion VPC)
• Agent manages resources in spoke accounts (one agent per spoke account)
• Spoke accounts have dedicated IAM roles with trust policies back to the Core account agent role

The problem:
When the agent applies/discovers against a target, it uses the Core account's credentials (the agent's own IAM role) instead of assuming a role into the spoke account. Our target configs currently only specify region in aws.Config — there's no field to provide a cross-account role ARN or account ID.

Questions:

1. Does aws.Config support an assumeRole or roleArn field to tell the agent to sts:AssumeRole into a spoke account before making API calls?
2. If not natively supported, what's the recommended pattern for cross-account agent deployments? Should we run one agent per account (in each spoke) instead of centralising in Core?
3. If cross-account assume-role is supported, do we also need to provide externalId in the config for confused-deputy protection?
4. Is there a way to scope the agent's assumed session per-target (e.g., different roles for prod vs staging within the same spoke account)?

What we expect the config to look like:

  config = new aws.Config {
    region = "eu-west-1"
    accountId = "SPOKE_ACCOUNT_ID"
    assumeRole = new aws.AssumeRole {
      roleArn = "arn:aws:iam::SPOKE_ACCOUNT_ID:role/formae-target-role-prod"
      externalId = "formae-ritdu-pe"
    }
  }

Thanks!
Danie

[discount-elf]

1.) No, but we plan to support this, soon.
2.) Currently you may specify credential by named profile, or via the aws environment variables.
3.) We will consider this when exposing the assume role configuration.
4.) The only way to do this at the moment is via named profile usage in the configuration per target.

I will look into this and see how quickly we can support the configuration.

[discount-elf]

For the time being actually specifying the role binding via the credentials config may work and referencing that in the target config via the profile.

[profile cross-account-role]
role_arn = arn:aws:iam::123456789012:role/MyAssumedRole
source_profile = default
region = us-east-1

Definitely a hack and we will simply expose the config.